System and method for authentication in a mobile communications system

ABSTRACT

The invention concerns authentication to be performed in a telecommunications network, especially in an IP network. To allow a simple and smooth authentication of users of IP networks in a geographically large area, the IP network's terminal (TE1) uses a subscriber identity module (SIM) as used in a separate mobile communications system (MN), whereby a response may be determined from the challenge given to the identity module as input. The IP network also includes a special security server (SS), to which a message about a new user is transmitted when a subscriber attaches to the IP network. The subscriber's authentication information containing at least a challenge and a response is fetched from the said mobile communications system to the IP network and authentication is carried out based on the authentication information obtained from the mobile communications system by transmitting the said challenge through the IP network to the terminal, by generating a response from the challenge in the terminal's identity module and by comparing the response with the response received from the mobile communications system. Such a database (DB) may also be used in the system, wherein subscriber-specific authentication information is stored in advance, whereby the information in question need not be fetched from the mobile communications system when a subscriber attaches to the network.

FIELD OF THE INVENTION

The invention relates to authentication in a telecommunications network, especially in an IP network (IP=Internet Protocol), and also to improvement of the network's data security features with the aid of the performed authentication. Authentication means verification of the identity of the party, such as the subscriber, who has generated data. Using authentication it is also possible to guarantee integrity and confidentiality of the said data. Authentication may be performed for various purposes, such as for checking the right of use of network services. The invention is intended for use especially in connection with mobile terminals, but with the solution according to the invention advantages are also achieved in connection with fixed terminals.

BACKGROUND OF THE INVENTION

The strong growth in number of Internet users has been one of the most remarkable phenomena in communications in recent years. The rapid growth has also highlighted defects on the Internet. One of these is the poor data security of the network. The IP protocol version (IPv4) now in general use does not provide any such means, with which it would be possible to make sure that information arrived from the opposite end did not change during the transfer or that the information did in fact arrive from that source, who claims to have sent the information in question. In addition, it is easy to use various tools in the network for listening in to the traffic. For these reasons, those systems are very vulnerable which transmit non-encrypted critical information, e.g. passwords.

The new IP version (IPv6) has internal characteristics that allow safe communication between Internet users. Because the transition to the new protocol will be slow, the data security features should be such that they are compatible with the present IP version (IPv4), and so that they can be added to this.

Various such systems have been developed to improve the data security properties of the Internet where users can send the information encrypted to the other party. One such system is the Kerberos, which is a service with which network users and services can authenticate one another and with which users and services can bring about encrypted connections between each other. The Kerberos system is utilised in one embodiment of the present invention which will be described more closely hereinafter.

Another current trend is the strongly increasing use of various mobile terminals. Along with this trend it is even more important that the terminals will have access to the data network also when being located outside their own home network. Such an access can essentially improve the usability of e.g. a portable computer, when the user is not in his/her usual working environment. Points of access may be located e.g. at airports, in railway stations, in shopping malls or on any other public premises, and the access may be wired or wireless.

Systems of the described kind, which can be used for sending encrypted information between parties, are mainly intended for fixed terminals and they require that the users are registered in advance as users of the service. It is a problem nowadays that for IP networks supporting mobility of the terminals there is no such existing and functioning authentication or key management system that would guarantee good geographical coverage and at the same time allow the user easily to have an authenticated and safe connection available to himself/herself in an area which is geographically as large as possible.

SUMMARY OF THE INVENTION

It is a purpose of the invention to eliminate the drawback described above and to bring about a solution, with which users of a telecommunications network, such as an IP network, can be simply and smoothly authenticated, almost irrespectively of where their network access point is located geographically at each time.

This objective is achieved through the solution defined in the independent claims.

The invention utilizes the authentication method of an existing mobile communications network, especially the GSM network (Global System for Mobile Communications), in an IP network (or in any other network which is separate from the mobile communications network). This means that a user of the IP network in his IP network terminal uses the same (or an essentially similar) subscriber identification unit (SIM) as in his mobile phone or station. The idea is to fetch the subscriber's authentication data from the mobile communications network over to the IP network side and to carry out the authentication in the IP network based on this data. The mobile network is not necessarily a GSM network, but it may be some other mobile communications network, wherein authentication is used essentially in the same manner, e.g. a DCS network (Digital Cellular System), a GPRS network (General Packet Radio Service, which is a sub-network of the GSM) or a UMTS network (Universal Mobile Telecommunications System).

In an advantageous embodiment of the invention, the user is registered in response to a successful authentication into a separate key management system, preferably a Kerberos system, whereby it is possible then easily to bring about an encrypted channel between users communicating with one another. This is especially important when at least a part of the transmission path consists of a radio path.

Owing to the solution according to the invention, users of the IP network are easily and smoothly authenticated and, in addition, the users are able to avail themselves of efficient security features in a geographically large area. This is due both to the widespread use of GSM networks and to the fact that roaming agreements between operators allow authentication of subscribers entering a foreign network. E.g. today (1998) a Finnish GSM operator has common traffic agreements with operators working in more than 60 countries.

Owing to the solution according to the invention, ISP (Internet Service Provider) operators typically also providing mobile communication services need not separately procure authentication and key management systems in the IP network, but they may use also for this purpose the features of the mobile communications network which they operate.

With the solution according to the invention such an advantage is also achieved in connection with fixed terminals, that functions built in connection with the mobile communications network can be utilised in connection with Internet services. E.g. an organisation working both as a mobile communication operator and as an ISP operator may use charging services built in connection with the mobile communications network for charging for the Internet services which he provides. When also fixed terminals are authenticated with the method according to the invention, much certainty is achieved that the bill will be directed at the correct subscriber. In addition, the subscriber can be authenticated, even if he attaches to the network from a foreign terminal.

A BRIEF DESCRIPTION OF THE DRAWINGS

In the following, the invention and its preferred embodiments will be described more closely referring to the examples shown in FIGS. 1 . . . 10 in the appended drawings, wherein

FIG. 1 illustrates an operating environment of the method in accordance with the invention,

FIG. 2 shows an exchange of messages between various elements, when the terminal attaches to the network or detaches from the network,

FIG. 3 illustrates the structure of those messages, with which the server of the system is told that the user has attached to the network or has detached from the network,

FIG. 4 shows an exchange of messages taking place between the various elements during authentication,

FIG. 5 illustrates the general structure of the messages shown in FIG. 5,

FIG. 6 illustrates those elements of the system, which are used for acquiring a connection-specific encryption key between two terminals,

FIG. 7 shows an exchange of messages taking place in order to obtain an initial ticket from the Kerberos server,

FIG. 8 illustrates those parts of a terminal which are essential from the viewpoint of the invention,

FIG. 9 shows an exchange of messages taking place in order to obtain an encryption key for communication between two terminals, and

FIG. 10 illustrates an alternative embodiment of the system.

DETAILED DESCRIPTION OF THE INVENTION

In the following the invention will be described with reference to a network environment, wherein mobility of the subscribers is supported with the aid of a Mobile IP protocol (MIP hereinafter). The MIP is such a version of the existing IP, which supports mobility of the terminals. (The MIP principle is described e.g. in the RFC 2002, October 1996, or in the article Upkar Varshney, Supporting Mobility with Wireless ATM, Internet Watch, January 1997.)

The MIP is based on the idea that each mobile host or mobile node has an agent (home agent) allocated for itself, which relays packets to the current location of the mobile node. When the mobile node moves from one sub-network into another, it registers with the agent (foreign agent) serving the concerned sub-network. The last-mentioned performs checks with the mobile node's home agent, registers the mobile node and sends the registration information to it. Packets addressed to the mobile node are sent to the mobile node's original location (to the home agent), thence they are relayed further to the current foreign agent, which will forward them to the mobile node.

FIG. 1 shows a typical operating environment of the method in accordance with the invention. The heart of the system is the security server SS, which is connected both to the Internet and to a proxy server HP, which has access to a separate mobile network MN, which in this example is a GSM network. The proxy server forms a network element, which (in a manner to be described later) relays traffic between the security server and the home location registers HLR of mobile communications networks, which home location registers HLR are located in the home networks of the subscribers. In practice, both the proxy server and the security server are located on the premises of the network operator, e.g. in the same room, so that even if there is an IP connection between the security server and the proxy server, it is a secured connection. As the GSM network is known as such and the invention does not require any changes to be made in it, it is not described more closely in this connection.

Users moving in the area of the system can use portable computers, PDA equipment, intelligent phones or other such terminals. Only one terminal TE1 is illustrated by reference mark CLIENT in the figure. For the present purposes, client generally means an object using the services provided by the network and carried out by the network servers. Client often means a program which connects with a server on behalf of the network user.

Two sub-networks are shown in the figure and in practice they may be e.g. Ethernet local area networks, wherein TCP/IP packets are transmitted: the user's home network HN and the foreign network FN, to which terminal TE1 is assumed to be connected. These sub-networks are both connected to the Internet by way of a gateway GW (a router). The home network includes the home agent HA of the said mobile host and the foreign network correspondingly includes the foreign agent FA. Accesses to the sub-networks take place through access points AP, e.g. in a wireless manner, as is shown in the figure.

The terminals are formed by two parts in the same way as the ordinary GSM telephone: of the subscriber device proper, e.g. a portable computer (with software) and of the SIM (Subscriber Identity Module), whereby from the viewpoint of the network the subscriber device becomes a functioning terminal only when the SIM has been pushed into it. In this case described as an example, the SIM is the subscriber identity module for use in the GSM network. A terminal may have access only to the IP network, or it may be a so-called dual mode device, which has access both to the IP network and to the GSM network. The access to the IP network takes place e.g. with the aid of a LAN card in the terminal and to the GSM network with the aid of a GSM card, which in practice is a stripped telephone, which is located e.g. in the computer's PCMCIA expansion slot.

In a preferred embodiment of the invention, there is also a Kerberos server KS in connection with the security server which is known as such and which is used for implementing encrypted connections in a manner to be described hereinafter. The security server and the Kerberos server may be physically in the same machine.

For the security server to know when the user enters or exits the IP network, a channel is brought about between the security server and the home agent in the manner shown in FIG. 2. In accordance with the MIP protocol, foreign agent FA continuously sends broadcast messages to its own subnetwork, which messages are called by the name of “agent advertisement” and which are indicated by the reference mark AA in the figure. When the terminal attaches to the said sub-network, it will receive these messages and conclude from them whether it is in its own home network or in some other network. If the terminal finds that it is in its home network, it will function without any mobility services. Otherwise the terminal will get a care-of address in the foreign network in question. This address is the address of that point in the network to which the terminal is temporarily connected. This address at the same time forms the termination point of the tunnel leading to the said terminal. Typically, the terminal gets the address e.g. from the above-mentioned broadcast messages, which the foreign agent is sending. Thereupon the terminal sends a RR (Registration Request) to its own home agent through foreign agent FA. The message contains, among other things, that care-of address, which the terminal just received. Based on its received request message, the home agent updates the said terminal's location information in its database and through the foreign agent it sends a Registration Reply R_Reply to the terminal. In the reply message there is all the necessary information indicating how (on what conditions) the home agent has accepted the registration request.

All the messages between the terminal, the foreign agent and the home agent which were described above are normal messages in accordance with the MIP protocol. The mobile node may also register directly with the home agent. The above-mentioned RFC describes the rules, which determine whether the mobile node will register directly with the home agent or through the foreign agent. If the mobile node gets a care-of address in the manner described above, the registration must always be made through the foreign agent. According to the MIP protocol, authentication is also performed in connection with the registration with the purpose to reduce the occurrence of errors in connection with the registration. The registration is based on a check value calculated from the registration message (from the registration request or reply), and the registration must be made only between that mobile node and that home agent, which have a shared fixed key (which is agreed upon in advance). Under these circumstances, the foreign agent is not necessarily able to authenticate the mobile node. This problem is aggravated, if as large a geographical coverage as possible is an objective in the system.

According to the invention, a facility is added to the home agent to the effect that the home agent provides the security server with information about the terminal attached to the network, after the registration request message has arrived from the foreign agent. This message is indicated in the figure by reference mark MOB_ATTACH. Correspondingly, the home agent provides the security server with information about the terminal which has left the network after the terminal has detached from the network (after the terminal has detached from the network or after the lifetime of the address given to it has run out). In the figure, this message is indicated by the reference mark MOB_DETACH. To each type of message the security server sends an acknowledgement message (MOB_ACK). As regards their purpose of use, the MOB_ATTACH and MOB_DETACH messages correspond to the IMSI attach/detach procedures used in a GSM network.

The home agent monitors the replies arriving from the security server and sends the messages again (with the same parameters), should no acknowledgement message arrive from the security server within a predetermined time, e.g. 30 seconds.

FIG. 3 illustrates the structure of the MOB_ATTACH, MOB_DETACH and MOB_ACK messages. In the messages there is a type field 31, which identifies the type of the message, a number field 32, which contains the random number or sequence number identifying the session, and an address field 33, which contains the client's IP address. The last-mentioned field is absent from the acknowledgement message. The messages are transmitted in fields reserved for the payloads of IP datagrams.

Thus, when the terminal has attached to the network, the security server receives from the home agent information about the IP address of the concerned terminal. Thereupon follows authentication of the client, which will be described in the following with reference to FIG. 4. For the authentication, the security server first asks the client for the IMSI (International Mobile Subscriber Identity), which is stored on the SIM (the AUTH_ID_REQ message). To this the client replies by giving his IMSI (which is a 9-byte identifier in accordance with the GSM specification) in the AUTH_ID_RSP reply message. The inquiry travels through the home agent to the termination point of the above-mentioned tunnel, but the reply comes directly from the terminal to the security server.

If the client's IP address does not change often, it is preferable to store in the security server the IMSI identifiers corresponding to the IP addresses, whereby identifiers need not be moved around unnecessarily in the network. Thus, the above-mentioned messages are not necessary.

When the terminal has stated its IMSI identifier or when the security server has fetched it from its database, the security server starts the actual authentication. To enable authentication of the terminal's SIM, there must be a connection between the security server and the AuC (Authentication Center) located in connection with the home location register HLR of the subscriber's own GSM network. This is implemented with a proxy server HP, which functions as a connecting network element between the IP network and the GSM network, more precisely between the IP network and the SS7 signaling network utilized by the GSM network. The GSM network service needed in the authentication is MAP_SEND_AUTHENTICATION_INFO (GSM 9.02, v. 4.8.0). This service is implemented by using the proxy server HP, which may be located on the premises of the local GSM operator. The security server transmits to the proxy server a SEC_INFO_REQ authentication request message, which contains a session identifier and the IMSI subscriber identifier. The proxy server for its part transmits to the authentication centre AuC an inquiry message in accordance with the MAP (Mobile Application Part) protocol, which inquiry message is used to request an authentication triplet and which is normally transmitted between the VLR and the HLR. In response to this inquiry message, the HLR returns to the proxy server a normal authentication triplet, which contains a challenge (RAND), a response SRES (Signed Response) and a key Kc (the connection-specific encryption key used in the GSM network). The proxy server relays the triplet further to the security server in a SEC_INFO_RSP message. The security server stores the triplet and transmits the challenge (the AUTH_CHALLENGE_REQ message) further to the terminal's SIM, which based on this message generates a response (SRES) and a key Kc. The terminal stores the key and transmits the response (the AUTH_CHALLENGE_RSP message) (SRES) back to the security server.

In the terminal there is preferably a database, wherein the challenges are stored. In this way it is possible to make sure that one challenge will be used just once. In this manner it is possible to prevent anyone from pretending to be a security server by snatching from the network the (non-encrypted) challenge and the response and by finding out the key Kc from these. If the same challenge occurs once again, no reply will be given to this challenge. The security server may also filter out those challenges which have already been used, and when required it may ask for a new authentication triplet from the GSM network, so that no such challenge which has already been used will be transmitted to the terminal.

The proxy server HP functions in the system as a virtual visitor location register VLR, because at least as regards the authentication triplet inquiries it appears from the home register like a network element of the same kind as the genuine visitor registers of the GSM network. The proxy server also functions as a filter allowing access to the GSM system's signaling network only to authentication triplet inquiries. The proxy server does not either interfere with any other inquiries from the home register on the GSM network side.

FIG. 5 illustrates the general structure of the messages presented in FIG. 4. In the messages there is a type field 51, which identifies the type of the message, a number field 52, which contains the random number or sequence number identifying the session, and a payload field 53, the length of which varies depending on which message is at issue. In messages between the security server and the terminal, the two first fields occur in all messages, but there is no payload field in the AUTH_ID_REQ message. In the AUTH_ID_RSP message the length of the payload field is 9 bytes (the length of IMSI is 1+8 bytes), in the AUTH_CHALLENGE_REQ message its length is 16 bytes (the length of RAND is 16 bytes) and in the AUTH_CHALLENGE_RSP message its length is 4 bytes (the length of SRES is 4 bytes). In the messages between the security server and the proxy server, the length of the payload field is 9 bytes (IMSI) in the case of the SEC_INFO_REQ message and n×28 bytes in the case of the SEC_INFO_RSP message (in the triplet there is a total of 28 bytes and the network elements are generally configured so that they will transmit 1 . . . 3 subscriber-specific triplets at a time). As mentioned above, normal GSM network signaling is used between the proxy server and the home location register HLR.

The security server compares the response it received from the terminal with the response arrived in the triplet and, if it is found in the comparison that the responses are the same, the authentication is successful.
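The exchange of FIG. 4 with the payload lengths of FIG. 5, as an added example that is not part of the patent text: the terminal refuses a repeated challenge, the security server filters used challenges and compares SRES in constant time. The type codes, the 1-byte type and 4-byte number header, the class names, the sample IMSI and Ki, and the HMAC-SHA256 stand-in for the SIM's A3/A8 algorithms are all assumptions made here.

```python
import hashlib
import hmac
import os
import struct

# Type codes and the header layout (1-byte type, 4-byte session number) are
# assumptions; the text fixes only the field order and the payload lengths.
AUTH_ID_REQ, AUTH_ID_RSP, AUTH_CHALLENGE_REQ, AUTH_CHALLENGE_RSP = 1, 2, 3, 4
PAYLOAD_LEN = {AUTH_ID_REQ: 0, AUTH_ID_RSP: 9,
               AUTH_CHALLENGE_REQ: 16, AUTH_CHALLENGE_RSP: 4}
HEADER = struct.Struct("!BI")


def pack(msg_type, session, payload=b""):
    """Build a message, refusing payloads of the wrong length for the type."""
    if len(payload) != PAYLOAD_LEN[msg_type]:
        raise ValueError("bad payload length for message type %d" % msg_type)
    return HEADER.pack(msg_type, session) + payload


def unpack(data):
    """Parse a message and enforce the per-type payload length."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    msg_type, session = HEADER.unpack_from(data)
    payload = data[HEADER.size:]
    if PAYLOAD_LEN.get(msg_type) != len(payload):
        raise ValueError("unknown type or bad payload length")
    return msg_type, session, payload


def a3a8(ki, rand):
    """Stand-in for the SIM's A3/A8 algorithms: returns (SRES, Kc).

    HMAC-SHA256 is used only so the example runs; it is not a GSM algorithm.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Terminal:
    """Terminal with SIM and the database of challenges already answered."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki
        self.seen_challenges = set()
        self.kc = None

    def handle(self, data):
        msg_type, session, payload = unpack(data)
        if msg_type == AUTH_ID_REQ:
            return pack(AUTH_ID_RSP, session, self.imsi)
        if msg_type == AUTH_CHALLENGE_REQ:
            if payload in self.seen_challenges:
                return None  # repeated challenge: give no reply
            self.seen_challenges.add(payload)
            sres, self.kc = a3a8(self._ki, payload)
            return pack(AUTH_CHALLENGE_RSP, session, sres)
        return None


class AuC:
    """Plays the HLR/AuC that the security server reaches through proxy HP."""

    def __init__(self, subscribers):
        self._ki = dict(subscribers)  # IMSI -> Ki

    def triplets(self, imsi, count=3):
        ki = self._ki.get(imsi)
        if ki is None:
            return []
        rands = [os.urandom(16) for _ in range(count)]
        return [(rand,) + a3a8(ki, rand) for rand in rands]  # (RAND, SRES, Kc)


class SecurityServer:
    def __init__(self, auc):
        self.auc = auc
        self.used_challenges = set()

    def authenticate(self, terminal, session):
        """Run the exchange; return Kc on success, None on failure."""
        msg_type, _, imsi = unpack(terminal.handle(pack(AUTH_ID_REQ, session)))
        if msg_type != AUTH_ID_RSP:
            return None
        for rand, sres, kc in self.auc.triplets(imsi):
            if rand in self.used_challenges:
                continue  # never transmit a challenge that was already used
            self.used_challenges.add(rand)
            reply = terminal.handle(pack(AUTH_CHALLENGE_REQ, session, rand))
            if reply is None:
                return None
            msg_type, got_session, got = unpack(reply)
            ok = (msg_type == AUTH_CHALLENGE_RSP and got_session == session
                  and hmac.compare_digest(got, sres))
            return kc if ok else None
        return None


# Constructed sample subscriber: 1 length byte + 8 identity bytes, and a Ki.
IMSI = bytes([8]) + bytes.fromhex("1032547698badcfe")
KI = bytes(range(16))
```
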

In response to a successful authentication, the security server starts a registration with the Kerberos server. In this context the Kerberos server means a process, which provides a Kerberos service. The Kerberos server is preferably located in connection with the security server, as is shown in FIG. 1.

Kerberos is a system intended for authentication of network users and services. It is a trusted service in the sense that its every client trusts that the system's assessment of all its other clients is correct. Since the Kerberos system is known as such, and its operation is not changed in any way, it will not be described in detail in this context. The system is described e.g. in the document Steiner, Neuman, Schiller: Kerberos: An Authentication Service for Open Network Systems, Jan. 12, 1988, from which the interested reader may find background information, if he so desires. In the following description the same ways of marking will be used as in the above-mentioned document. The description is based on the Kerberos version 4.

c → client
s → server
c-addr → client's network address
tgs → ticket-granting server
K_(x) → x's private key
K_(x,y) → session key for x and y
{abc}K_(x) → abc encrypted using x's personal key
T_(x,y) → x's ticket for using y.

FIG. 6 illustrates the objects of the Kerberos and authentication applications. It is assumed in the figure that the system has two clients, A and B. Each client may be a terminal, which has been authenticated by the security server in the manner described above, when it attached to the IP network, or one may be a “permanently” authenticated client, e.g. a server. The Kerberos application includes two parts: client program KC, which is located at the terminal, and server program KS, which is located at the security server. The server program also includes a ticket-granting server TGS. Correspondingly, the authentication application includes two parts: the client program AC, which is located at the terminal, and the server program AS, which is located at the security server. Communication takes place with the aid of IP/MIP/IP-SEC stacks, which will be described in greater detail below.

The following is a description of how the Kerberos protocol is used for bringing about a connection-specific key between terminals A and B.

When the security server has found that the authentication was successful, it will start registration of the Kerberos client with the Kerberos server. In practice, this happens in such a way that the security server's authentication block AS registers the key Kc arrived in the authentication triplet (a) as the client's password and (b) as a password into the service formed for the client's IP address or for the IMSI subscriber identifier. The service is given some name which is determined in advance.

Then the client may request a ticket for the ticket-granting server using the key Kc. This exchange of messages is shown in FIG. 7. After the client has received the key Kc, it transmits to the security server (to the Kerberos server) a message, with which it requests an initial ticket of the Kerberos system. There may be a brief predetermined delay between the reception of the key and the transmission of the message, so that the security server will have time first to perform the registration with the Kerberos server. After the delay, the terminal transmits to the security server a request in accordance with the Kerberos protocol, which always contains the client's identity (the IMSI or IP address) and the name tgs of a certain special service, the ticket-granting service. Upon receiving this inquiry the Kerberos server checks whether it knows the client. If it does, it will generate a random connection-specific key K_(c,tgs), which will be used later in data transmission between the client and the ticket-granting server. Thereupon the Kerberos server generates a ticket T_(c,tgs), with which the client may use the ticket-granting service. This ticket contains the client's name, the name of the ticket-granting server, the current time of day, the lifetime of the ticket, the client's IP address and the connection-specific key just generated. Using the methods of marking described above, the contents of the ticket can be presented as follows: T_(c,tgs)={c, tgs, timestamp, lifetime, c-addr, K_(c,tgs)}. This ticket is encrypted using key K_(tgs), which is known only to the ticket-granting server and to the Kerberos server. Then the Kerberos server transmits as a response to the client a packet, which contains the encrypted ticket and a copy of the connection-specific key K_(c,tgs). The response is encrypted using the client's own key Kc. The terminal stores the ticket and the session key for future use.

When the terminal has stored the ticket and the session key, it has access during the ticket's lifetime to the ticket-granting service and it is prepared to be in connection with a third party.

FIG. 8 illustrates those functional blocks of a terminal, which are essential from the viewpoint of the invention. The terminal is in connection with the network by way of the IP/MIP/IP-SEC protocol stack. IP/MIP/IP-SEC is such a known TCP/IP stack, which has built-in mobile IP characteristics and encryption functions. Seen from above, this stack appears just like an ordinary IP stack, but from below (from the network side) the said stack transmits encrypted information in accordance with a certain security policy. This security policy is determined by a separate security policy block SPB, which controls the IP/MIP/IP-SEC stack by indicating to the stack the other objects in the network to which encrypted information must be sent. These objects are generally defined in the security policy block with the aid of the terminal's IP address and port number. The definition can be made even finer by also defining those user identifiers, for which the encryption is done. In practice, the security policy block is built into the IP/MIP/IP-SEC stack, but in a functional sense it is a block in its own right.

In addition to the security policy block, the terminal contains a key management block KM, which attends to management of keys. In connection with the key management block there is a database containing all the encryption keys used by the terminal. The key management block can be implemented e.g. with the aid of the known PF_KEY API (API=Application Programming Interface). PF_KEY is a generic application programming interface, which may be used not only for IP layer security services, but also for other security services of the network. This API determines the socket protocol family, which the key management applications use to communicate with parts of the operating system relating to the key management. Since the invention is not related to the known PF_KEY protocol, it will not be described more closely in this context. The protocol is described in the document McDonald, Metz, Phan: PF_KEY Management API, version 2, 21 Apr., 1997, where the interested reader will find background information.

In the key management block KM there are specific definitions for how and with which key the encryption is carried out to each network address. This definition may be made e.g. so that for each individual IP address and port that protocol and that key are stated which must be used when in connection with the port in question.

When a packet which is to be transmitted outwards arrives in the IP/MIP/IP-SEC stack, the stack reads the packet's destination address and asks the security policy block SPB which is the encryption policy as regards a packet carrying the address in question. In response, the security policy block tells the IP/MIP/IP-SEC stack whether encryption is to be made, and if so, with which method the encryption is to be carried out. This information is relayed to the key management block KM.

In the initial stage, the user has determined those connections for the security policy block, on which encryption must be used. If the security policy block states that encryption must be used and if the key management block finds that there is as yet no key for the terminal with which a connection is desired, the key management block will send a key request to the Kerberos client KC, who will request a server ticket for the concerned terminal from the security server's ticket-granting service. This signalling is illustrated in FIG. 9. The terminal (the Kerberos client) sends to the ticket-granting server such a request in accordance with the Kerberos protocol, which contains the name (s, e.g. terminal B) of that server, for which the ticket is desired, a ticket T_(c,tgs) encrypted with the ticket-granting server's own key K_(tgs) for access to the ticket-granting service and an authenticator Ac, which is encrypted with a connection-specific key K_(c,tgs). The authenticator is a data structure, which contains the client's name and IP address as well as the current time. Observing the used method of marking, Ac = {c, c-addr, timestamp}.

The ticket-granting server checks the authenticator's information and the ticket T_(c,tgs). If the ticket is all right, the ticket-granting server generates a new random session key K_(c,s), which the client may use together with a third party of his choice. Then the ticket-granting server forms a new ticket T_(c,s) for the said third party, encrypts the ticket using the said third party's own key K_(s), which is the same as the concerned subscriber's key Kc described above, and transmits the encrypted key together with the session key to the terminal. The entire reply is encrypted using key K_(c,tgs).

Upon receiving the reply message, the terminal unpacks the packet, transmits the first part {T_(c,s)}K_(s) to the third party (to terminal B) and stores the new session key K_(c,s) in the key database. The terminal of the third party gets the recently generated session key K_(c,s) from the ticket by first decrypting the ticket with its own key Kc. Thereafter the new session key is available to both terminals and encrypted data transmission may begin.
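The ticket request, the ticket-granting server's checks and the delivery of the session key to terminal B can be traced in the following added example, which is not part of the patent text. The seal/unseal helpers are a toy encrypt-then-MAC construction standing in for Kerberos encryption, and all names, addresses, keys and the freshness window MAX_SKEW are constructed assumptions.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300  # seconds an authenticator stays fresh (assumed value)

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for Kerberos encryption: {obj}key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def client_request(c, c_addr, s, t_c_tgs, k_c_tgs, now):
    """Terminal -> TGS: server name s, {T_c,tgs}K_tgs, {Ac}K_c,tgs."""
    ac = {"c": c, "c_addr": c_addr, "timestamp": now}
    return {"s": s, "ticket": t_c_tgs, "auth": seal(k_c_tgs, ac)}

def tgs_reply(req, k_tgs, server_keys, now):
    """TGS: check ticket and authenticator, then issue K_c,s and {T_c,s}K_s."""
    tgt = unseal(k_tgs, req["ticket"])             # only the TGS holds K_tgs
    k_c_tgs = bytes.fromhex(tgt["key"])
    ac = unseal(k_c_tgs, req["auth"])
    if (ac["c"], ac["c_addr"]) != (tgt["c"], tgt["c_addr"]):
        raise PermissionError("authenticator does not match ticket")
    if abs(now - ac["timestamp"]) > MAX_SKEW:
        raise PermissionError("stale authenticator")
    k_c_s = os.urandom(16)                         # new random session key
    t_c_s = seal(server_keys[req["s"]],
                 {"c": tgt["c"], "c_addr": tgt["c_addr"], "key": k_c_s.hex()})
    return seal(k_c_tgs, {"key": k_c_s.hex(), "ticket": t_c_s.hex()})

def client_unpack(reply, k_c_tgs):
    """Terminal: keep K_c,s for the key database, forward {T_c,s}K_s unchanged."""
    body = unseal(k_c_tgs, reply)
    return bytes.fromhex(body["key"]), bytes.fromhex(body["ticket"])

def server_accept(t_c_s, k_s):
    """Terminal B: decrypt the ticket with its own key to obtain K_c,s."""
    return bytes.fromhex(unseal(k_s, t_c_s)["key"])

def demo(auth_age=0):
    """Constructed keys and names; returns the session key as seen by A and by B."""
    k_tgs, k_c_tgs, k_b = os.urandom(16), os.urandom(16), os.urandom(16)
    now = time.time()
    tgt = seal(k_tgs, {"c": "terminal-A", "c_addr": "192.0.2.10", "key": k_c_tgs.hex()})
    req = client_request("terminal-A", "192.0.2.10", "terminal-B", tgt, k_c_tgs, now - auth_age)
    reply = tgs_reply(req, k_tgs, {"terminal-B": k_b}, now)
    k_a, ticket = client_unpack(reply, k_c_tgs)
    return k_a, server_accept(ticket, k_b)
```

The terminal never sees the inside of {T_c,s}K_s; it only relays it, so a terminal B that can open the ticket has proved possession of its own key.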

When the Kerberos client has started his activity (when the client is registered with the Kerberos server), it must inform the IP/MIP/IP-SEC layer that it is able to serve session key requests. By using the PF_KEY protocol, this is done in such a way that the Kerberos client opens a special socket address into the kernel of the operating system and registers with the kernel with a SADB_REGISTER message. Then the PF_KEY protocol sends a SADB_ACQUIRE message each time when the key is needed for some outbound interface. When receiving this message, the Kerberos client will act in the manner described above, that is, he sends a request to the ticket-granting server, of the received response it sends the part intended for the other party to the opposite end of the connection and relays the received session key to the key management block. In addition, the Kerberos client listens to a certain socket address in order to notice any tickets that may arrive from other objects in the network. Having received such a ticket packet, it acknowledges reception of the packet, unpacks the packet and relays the necessary keys to the key management system, whereby these keys can be used when connections exist with the concerned peer.

When the terminal detaches from the network (message MOB_DETACH), the security server will remove both registrations from the Kerberos server.

In practice, the terminal and the security server must have certain port numbers open for non-encrypted data transmission. Such ports are the port, through which authentication messages are transmitted between the terminal and the server (FIG. 4), the port, through which tickets are transferred to the Kerberos clients, and the port, through which ticket requests are transferred.

The authentication triplet can be sought in various ways. In a small-scale embodiment it is possible to use a virtual “HLR database”, wherein a suitable number of authentication triplets is stored in advance. E.g. 10000 triplets from each user would require 280 kilobytes of memory per user. Thus, e.g. a 6 GB disk could accommodate authentication triplets for more than 21000 users. The authentication triplets may be loaded in advance when the user gets the service, by leaving the SIM module for a few hours in a smart card reader, which supplies the challenges to the module. The authentication triplets formed of the obtained responses are stored in the database using the module's information. This method also works with all SIM modules, irrespective of the operators. The database may be located e.g. in connection with the security server. Thus, it is not necessary to seek the authentication triplet(s) from the mobile communications network, but subscriber-specific authentication triplets can be stored in advance in a database DB located in connection with the security server (compare with FIG. 1). This means that proxy servers are not necessarily needed at all. For some subscribers there may also be ready-made authentication triplets in the database and for some they may be fetched in real time from the mobile communications system. Authentication triplets can also be fetched in advance from the mobile communications system and placed in the database.

In principle, it is also possible to copy each user's SIM module and use the copy in connection with the security server for authentication of the user (whereby no inquiry is made from the mobile communications network).

These two methods described above make it possible for the used SIM modules to be modules dedicated solely for this purpose, and they do not necessarily relate to the mobile communications network's subscriber.
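The pre-loaded triplet database, together with the rule from the claims that the terminal stores each challenge so that it is used once, is sketched in the following added example, which is not part of the patent text. SimStub is a hypothetical stand-in that replaces the operator's A3/A8 algorithms with HMAC-SHA256; the class and function names, subscriber labels and keys are constructed assumptions, while the field sizes are those of a GSM triplet.

```python
import hashlib, hmac, os

RAND_LEN, SRES_LEN, KC_LEN = 16, 4, 8           # GSM field sizes in bytes
TRIPLET_LEN = RAND_LEN + SRES_LEN + KC_LEN      # 28 bytes; 10000 triplets = 280 kB

class SimStub:
    """Stand-in for a SIM. HMAC-SHA256 replaces the operator's A3/A8 (assumption)."""
    def __init__(self, ki):
        self._ki = ki
    def run(self, rand):
        d = hmac.new(self._ki, rand, hashlib.sha256).digest()
        return d[:SRES_LEN], d[SRES_LEN:SRES_LEN + KC_LEN]   # (SRES, Kc)

class TripletDB:
    """Database DB beside the security server, filled in advance from a card reader."""
    def __init__(self):
        self._rows = {}
    def preload(self, subscriber, sim, count):
        rows = self._rows.setdefault(subscriber, [])
        for _ in range(count):
            rand = os.urandom(RAND_LEN)          # challenge supplied by the reader
            rows.append((rand, *sim.run(rand)))
    def take(self, subscriber):
        rows = self._rows.get(subscriber)
        if not rows:
            raise LookupError("no unused triplet; fetch more or re-provision")
        return rows.pop()                        # each triplet is handed out once
    def remaining(self, subscriber):
        return len(self._rows.get(subscriber, []))

class Terminal:
    """Network terminal with its identity module and a record of past challenges."""
    def __init__(self, sim):
        self._sim, self._seen = sim, set()
        self.kc = None
    def respond(self, rand):
        if len(rand) != RAND_LEN or rand in self._seen:
            return None                          # malformed or replayed challenge
        sres, kc = self._sim.run(rand)
        self._seen.add(rand)                     # stored so it is used only once
        self.kc = kc
        return sres

def authenticate(db, subscriber, terminal):
    """Security server: send the challenge, compare the answer with the stored SRES."""
    rand, sres, kc = db.take(subscriber)
    answer = terminal.respond(rand)
    ok = answer is not None and hmac.compare_digest(answer, sres)
    return ok, (kc if ok else None)
```

Because take() removes a triplet whether or not the comparison succeeds, failed attempts also drain the pre-loaded supply, which is worth monitoring in a deployment of this kind.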

The necessary authentication data can also be obtained from the GSM network e.g. from the connection between the MSC (Mobile Switching Centre) and the BSC (Base Station Controller). Thus, the proxy server need not necessarily emulate the visitor location register VLR, as was presented above, but it may also function as a network element of the same kind as the GSM network's base station controller. Such an alternative is illustrated in FIG. 10, where the said network element is marked with the reference mark BP. In this case, the proxy server is thus a virtual base station controller, which is connected to the MSC (Mobile Switching Centre) in the same way as the GSM network's normal BSCs (Base Station Controllers). Looking from the mobile switching centre, the proxy server looks like an ordinary base station controller at least as regards the signalling relating to authentication.

However, it is a problem in this second alternative that it requires considerably more complex signalling between the proxy server and the GSM network than the first alternative (FIG. 1). Besides, in consequence of the authentication of the second alternative, the user will in the GSM system move into the area of the proxy server BP emulating a base station controller, but this is not a real base station controller in the sense that it would be able also to switch calls. Thus, this solution can be used only in connection with data services, and the terminal can not be the kind of dual mode equipment as mentioned above.

Although the invention was described in the foregoing with reference to a MIP enabled network, the solution according to the invention is not bound to this protocol. If the protocol to be used is IPv6, then there are no proper agents in the network. Hereby the information about when the user is in the network must be sought from the routing tables of the router in the user's home network. In practice, this means that the network must include a separate “locating agent”, which by monitoring or “pinging” the router will notice that the user has entered the network and in consequence of this will start authentication by sending to the security server a message (MOB_ATTACH) about the new user. It is probable, however, that router manufacturers are designing a protocol from which it emerges when the user is in the network.

Although the invention was described above with reference to the examples shown in the appended drawings, it is obvious that the invention is not limited to these, but it may be modified within the inventive idea presented in the appended claims. Authentication need not necessarily be performed in order to set up an encrypted connection between users, but as a result of a successful authentication one may perform e.g. registration with a mail server before transmitting e-mail messages to the user's machine. In this way a more reliable authentication is achieved than by the present methods based on passwords. In addition, in connection with the access points there may be local servers, which function as proxy servers for the security server proper, or the system may include more than one security server. Instead of the Kerberos system it is also possible to use e.g. public key management, which is based on an X.500 database and on X.509 certificates.

1. Authentication method for telecommunication networks, especially for IP networks, in accordance with which method the identity of a subscriber attached to the network is authenticated, characterized by: in a network terminal, using a subscriber identity module essentially of the same kind as in a known mobile communications system, which identity module is such that a response is obtained as a result of a challenge given to it as input, using a special security server in the network so that when a terminal attaches to the network, a message of a new user is transmitted to the security server, fetching subscriber authentication information corresponding to the new user from the mobile communications system to the network, which authentication information contains at least a challenge and a response, wherein after the response to the challenge is generated by the network terminal, the challenge is stored on the network terminal to ensure that the challenge is used once, and performing authentication based on the authentication information obtained from the mobile communications system by transmitting the challenge to the terminal through the network, by checking that the challenge is unique from challenges used in previous authentication exchanges, by generating, if the challenge is unique and is not stored on the network terminal, the response from the challenge in the identity module of the terminal and by comparing the response with the response received from the mobile communications system.
2. Method as defined in claim 1, characterized in that fetching of the subscriber's authentication information from the mobile communications system is started from the security server in response to the message.
3. Method as defined in claim 1, characterized in that in response to a successful authentication, registration of the subscriber is performed as a client of a separate key management system.
4. Method as defined in claim 3, characterized in that a known Kerberos system is used as the key management system.
5. Method as defined in claim 4, characterized in that the subscriber-specific authentication information obtained from the mobile communications system also includes a key, whereby the subscriber is registered as a client of the Kerberos system so that the key is registered (a) as the client's password and (b) as a password for a service formed for the client's IP address or for a subscriber identity used in the mobile communications system.
6. Method as defined in claim 1, characterized in that the subscriber's authentication information is fetched with the aid of a separate proxy server, which functions as a network element emulating a visitor location register of the mobile communications system and which requests the authentication information from an authentication center located in connection with a subscriber's home location register in the same way as the mobile communications system's own visitor location register.
7. Method as defined in claim 1, characterized in that the subscriber's authentication information is fetched with the aid of a separate proxy server, which functions as a network element emulating the mobile communications system's base station controller and which is in connection with the mobile communications system's mobile switching centre for fetching the authentication information from an authentication center located in connection with a subscriber's home location register in the same way as the authentication information is fetched to the mobile communications system's own base station controller.
8. Authentication system for telecommunications networks, especially for IP networks, which system includes authentication means for authenticating the identity of a subscriber who has attached to the network, characterized in that the authentication means includes: a subscriber identity module connected to the network's terminal, the module being essentially similar to the subscriber identity module used in a separate mobile communications system, whereby a response can be determined from a challenge given to the identity module as input, messaging means for sending a message when a terminal attaches to the network, a special security server for receiving the message, means for requesting authentication information corresponding to a subscriber from the mobile communications system, which information contains at least a challenge and a response, wherein after the response to the challenge is generated by the network terminal, the challenge is stored on the network terminal to ensure that the challenge is used once, and on the side of the network, data transmission and checking means for transmitting the challenge through the network to the identity module and for checking that the challenge is unique from challenges used in previous authentication exchanges, for returning the response from the terminal to the network, if the challenge is unique and is not stored on the network terminal, and for comparing the received response with the response received from the mobile communications system.
9. System as defined in claim 8, characterized in that the identity module is the subscriber identity module used in the GSM network.
10. System as defined in claim 8, characterized in that the messaging means are adapted into a home agent in accordance with the mobile IP network.
11. System as defined in claim 8, characterized in that the means for requesting authentication information include the security server and a proxy server, which is connected to the GSM network.
12. System as defined in claim 11, characterized in that the proxy server functions as a network element emulating the visitor location register of the GSM network.
13. System as defined in claim 11, characterized in that the proxy server functions as a network element emulating the base station controller of the GSM network.
14. System as defined in claim 11, characterized in that the system further includes a Kerberos server which is known as such and as the user of which the subscriber will be registered as a result of a successful authentication.
15. Authentication method for telecommunications networks, especially for IP networks, in accordance with which method the identity of a subscriber attached to the network is authenticated, characterized by: in a network terminal, using a subscriber identity module essentially similar to the one used in a known mobile communications system, which identity module is such that a response is obtained as a result of a challenge given to it as input, storing subscriber-specific authentication information in a database, the information being in that way essentially similar to the information used for authentication in the mobile communications system that it contains at least a challenge and a response, wherein after the response to the challenge is generated by the network terminal, the challenge is stored on the network terminal to ensure that the challenge is used once, using a special security server in the network so that when a terminal attaches to the network, a message about the new user is transmitted to the security server, in response to the message, retrieving authentication information of the subscriber corresponding to the new user from the database, and performing authentication based on the authentication information obtained from the database by transmitting the challenge through the network to the terminal, by checking that the challenge is unique from challenges used in previous authentication exchanges and is not stored in the network terminal, by generating, if the challenge is unique, a response from the challenge in the identity module of the terminal, and by comparing the response with the response obtained from the database.
16. Method as defined in claim 15, characterized in that the database is stored in connection with the security server.
17. Method as defined in claim 15, characterized in that in response to a successful authentication, registration of the subscriber is performed as the user of a separate key management system.
18. Method as defined in claim 17, characterized in that a known Kerberos system is used as the key management system.
19. Authentication system for telecommunications networks, especially for IP networks, which system includes authentication means for authentication of the identity of a subscriber attached to the network, characterized in that the authentication means includes: a subscriber identity module, which is connected to a network terminal and which is essentially similar to the subscriber identity module used in a separate mobile communications system, whereby a response can be determined from the challenge given as input to the identity module, messaging means for sending a message when a terminal attaches to the network, a special security server for receiving the message, database means which include a database, wherein subscriber-specific authentication information is stored, which is in such a way essentially similar to the information used for authentication in the mobile communications system that it includes at least a challenge and a response, and retrieval means for retrieving subscriber-specific authentication information from the database in response to the message, wherein after the response to the challenge is generated by the network terminal, the challenge is stored on the network terminal to ensure that the challenge is used once, and on the side of the network, data transmission and checking means for transmitting the challenge through the network to the identity module and for checking that the challenge is unique from challenges used in previous authentication exchanges, if the challenge is unique and is not stored on the network terminal, for returning the response from the terminal to the network, and for comparing the received response with the response received from the database.
20. System as defined in claim 19, characterized in that the identity module is a subscriber identity module used in the GSM network.
21. System as defined in claim 19, characterized in that the messaging means are adapted into a home agent in accordance with the mobile IP network.
22. System as defined in claim 19, characterized in that the system further includes a Kerberos server, which is known as such and as the client of which the subscriber is registered as the result of a successful authentication.